Critical Vulnerability in WPvivid Backup & Migration Plugin Exposes 900,000 WordPress Sites
A significant security flaw has been identified in the WPvivid Backup & Migration plugin for WordPress, which is currently active on over 900,000 websites.
This vulnerability permits remote code execution through the unauthorized uploading of files, risking a complete compromise of the affected websites.
Designated CVE-2026-1357, the issue carries a critical severity rating of 9.8. It affects all versions of the plugin up to 0.9.123 and can lead to full control of a site being taken by a malicious actor.
Despite the severity, researchers at the security firm Defiant have clarified that only sites with the non-default setting that allows receiving backups from external sites are at elevated risk.
Moreover, exposure is limited to a 24-hour exploitation window, matching the period for which a generated key remains valid for backup transfers from other sites.
Nevertheless, because the plugin is routinely used for migrations and backups, many site administrators may have enabled this feature without thinking of it as a risk, widening the exposure.
Researcher Lucas Montes, known as NiRoX, first reported this vulnerability to Defiant on January 12, revealing that the root cause lies in inadequate error handling during RSA decryption, compounded by insufficient path sanitization.
Specifically, if the openssl_private_decrypt() call fails, the plugin does not stop; it passes the failed result straight on to the AES (Rijndael) stage.
As a result the cryptographic library treats that failed value as a key made up of null bytes, so the encryption key becomes predictable and an attacker can craft payloads that the plugin accepts as legitimate.
In addition, the plugin does not sanitize uploaded file names, leaving it open to directory traversal. That allows malicious PHP files to be written outside the designated backup directory, which leads to remote code execution.
On January 22, Defiant alerted the vendor, WPVividPlugins, following confirmation of the proof-of-concept exploit. A security patch addressing CVE-2026-1357 was subsequently released in version 0.9.124 on January 28.

The fix introduces several changes: execution now halts when RSA decryption fails, file names are sanitized, and uploads are restricted to approved backup file types such as ZIP, GZ, TAR and SQL.
Users of the WPvivid Backup & Migration plugin are urged to treat this vulnerability as a serious threat and to upgrade to version 0.9.124 without delay.
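To make the three mitigations concrete, here is an added illustration in PHP that is not WPvivid's own code: a hypothetical receive-backup handler showing the unchecked-decrypt pattern the article describes next to a hardened version that aborts on RSA failure, reduces the file name to its basename, and enforces the extension allow-list. The function names, the 32-byte (AES-256) key length and the character set accepted in file names are assumptions, not details taken from the plugin.

```php
<?php
// Added illustration, not WPvivid's code: a hypothetical receive-backup handler.
// It contrasts the defect class the article describes with the mitigations the
// 0.9.124 fix is reported to apply. Key length (32 bytes / AES-256) is an assumption.

const BACKUP_EXTENSIONS = ['zip', 'gz', 'tar', 'sql'];   // allow-list named in the article

// Flawed pattern: openssl_private_decrypt() returns false on failure, but the
// return value is never checked, so whatever is left in $aesKey flows on to the
// AES stage, where a failed/empty result behaves like an all-null, predictable key.
function unwrap_key_unchecked(string $wrapped, string $privKeyPem): string
{
    $aesKey = '';
    openssl_private_decrypt($wrapped, $aesKey, $privKeyPem);   // result ignored
    return (string) $aesKey;
}

// Hardened: refuse to continue unless RSA decryption succeeds AND yields a
// key of the expected length.
function unwrap_key_checked(string $wrapped, string $privKeyPem): string
{
    $aesKey = '';
    if (!openssl_private_decrypt($wrapped, $aesKey, $privKeyPem)
        || !is_string($aesKey) || strlen($aesKey) !== 32) {
        throw new RuntimeException('RSA unwrap of transfer key failed; aborting');
    }
    return $aesKey;
}

// Hardened filename handling: strip directory components, allow only a
// conservative character set, enforce the extension allow-list and confirm the
// final path still lies inside the backup directory.
function backup_target_path(string $backupDir, string $userSuppliedName): string
{
    $name = basename($userSuppliedName);                 // drops "../" and "/" parts
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)
        || !in_array($ext, BACKUP_EXTENSIONS, true)) {
        throw new RuntimeException("Rejected backup file name: $name");
    }
    $root   = realpath($backupDir);
    $target = $root . DIRECTORY_SEPARATOR . $name;
    if ($root === false || strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('Resolved path escapes the backup directory');
    }
    return $target;
}
```

With these checks, a name such as `../../wp-content/shell.php` is reduced to `shell.php` and then rejected on its extension, and a transfer whose RSA unwrap fails never reaches the AES stage at all.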
Source link: Bleepingcomputer.com.